{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27821", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-24T02:32:39.799Z", "datePublished": "2026-02-26T00:08:39.924Z", "dateUpdated": "2026-02-26T15:15:39.671Z"}, "containers": {"cna": {"title": "GPAC NHML Demuxer (dmx_nhml.c) Vulnerable to Stack Buffer Overflow", "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "lang": "en", "description": "CWE-121: Stack-based Buffer Overflow", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/gpac/gpac/security/advisories/GHSA-q7qh-8r2r-q559", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gpac/gpac/security/advisories/GHSA-q7qh-8r2r-q559"}, {"name": "https://github.com/gpac/gpac/commit/9bd7137fded2db40de61a2cf3045812c8741ec52", "tags": ["x_refsource_MISC"], "url": "https://github.com/gpac/gpac/commit/9bd7137fded2db40de61a2cf3045812c8741ec52"}], "affected": [{"vendor": "gpac", "product": "gpac", "versions": [{"version": "<= 26.02.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T00:08:39.924Z"}, "descriptions": [{"lang": "en", "value": "GPAC is an open-source multimedia framework. In versions up to and including 26.02.0, a stack buffer overflow occurs during NHML file parsing in `src/filters/dmx_nhml.c`. The value of the xmlHeaderEnd XML attribute is copied from att->value into szXmlHeaderEnd[1000] using strcpy() without any length validation. If the input exceeds 1000 bytes, it overwrites beyond the stack buffer boundary. Commit 9bd7137fded2db40de61a2cf3045812c8741ec52 patches the issue."}], "source": {"advisory": "GHSA-q7qh-8r2r-q559", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/gpac/gpac/security/advisories/GHSA-q7qh-8r2r-q559", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T15:15:32.913889Z", "id": "CVE-2026-27821", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:15:39.671Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27821", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T15:15:32.913889Z"}}}], "references": [{"url": "https://github.com/gpac/gpac/security/advisories/GHSA-q7qh-8r2r-q559", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:15:22.144Z"}}], "cna": {"title": "GPAC NHML Demuxer (dmx_nhml.c) Vulnerable to Stack Buffer Overflow", "source": {"advisory": "GHSA-q7qh-8r2r-q559", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "gpac", "product": "gpac", "versions": [{"status": "affected", "version": "<= 26.02.0"}]}], "references": [{"url": "https://github.com/gpac/gpac/security/advisories/GHSA-q7qh-8r2r-q559", "name": "https://github.com/gpac/gpac/security/advisories/GHSA-q7qh-8r2r-q559", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/gpac/gpac/commit/9bd7137fded2db40de61a2cf3045812c8741ec52", "name": "https://github.com/gpac/gpac/commit/9bd7137fded2db40de61a2cf3045812c8741ec52", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "GPAC is an open-source multimedia framework. In versions up to and including 26.02.0, a stack buffer overflow occurs during NHML file parsing in `src/filters/dmx_nhml.c`. The value of the xmlHeaderEnd XML attribute is copied from att->value into szXmlHeaderEnd[1000] using strcpy() without any length validation. If the input exceeds 1000 bytes, it overwrites beyond the stack buffer boundary. Commit 9bd7137fded2db40de61a2cf3045812c8741ec52 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-121", "description": "CWE-121: Stack-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T00:08:39.924Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27821", "state": "PUBLISHED", "dateUpdated": "2026-02-26T15:15:39.671Z", "dateReserved": "2026-02-24T02:32:39.799Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-26T00:08:39.924Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gpac:gpac:*:*:*:*:*:*:*:*", "matchCriteriaId": "1E51A88A-96CF-4325-8493-FDB8E41EAC7B", "versionEndIncluding": "26.02.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "GPAC is an open-source multimedia framework. In versions up to and including 26.02.0, a stack buffer overflow occurs during NHML file parsing in `src/filters/dmx_nhml.c`. The value of the xmlHeaderEnd XML attribute is copied from att->value into szXmlHeaderEnd[1000] using strcpy() without any length validation. If the input exceeds 1000 bytes, it overwrites beyond the stack buffer boundary. Commit 9bd7137fded2db40de61a2cf3045812c8741ec52 patches the issue."}, {"lang": "es", "value": "GPAC es un framework multimedia de c\u00f3digo abierto. En versiones hasta la 26.02.0 inclusive, se produce un desbordamiento de b\u00fafer de pila durante el an\u00e1lisis de archivos NHML en `src/filters/dmx_nhml.c`. El valor del atributo XML xmlHeaderEnd se copia de att-&gt;value a szXmlHeaderEnd[1000] usando strcpy() sin ninguna validaci\u00f3n de longitud. Si la entrada excede los 1000 bytes, sobrescribe m\u00e1s all\u00e1 del l\u00edmite del b\u00fafer de pila. El commit 9bd7137fded2db40de61a2cf3045812c8741ec52 corrige el problema."}], "id": "CVE-2026-27821", "lastModified": "2026-03-11T23:23:32.243", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-26T00:16:26.813", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/gpac/gpac/commit/9bd7137fded2db40de61a2cf3045812c8741ec52"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/gpac/gpac/security/advisories/GHSA-q7qh-8r2r-q559"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/gpac/gpac/security/advisories/GHSA-q7qh-8r2r-q559"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,26.02.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "gpac", "source": "cna", "vendor": "gpac"}, "product": "gpac", "vendor": "gpac"}], "analysis": {"en": {"generated_at": "2026-04-17T14:38:45.145161+00:00", "value": {"mitigation_remediation": ["Apply the patch commit 9bd7137fded2db40de61a2cf3045812c8741ec52 by upgrading to GPAC 26.02.1 or later.", "Rebuild GPAC from the latest source if an official release is not yet available.", "If updating is not possible, restrict GPAC\u2019s execution to trusted users or sandbox the application to limit the impact of potential code execution."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "GPAC (gpac:gpac) versions up to and including 26.02.0 are affected. Users relying on the GPAC multimedia framework in any environment that processes NHML files should verify the installed version.", "description_and_impact": "A stack buffer overflow occurs while parsing NHML files in GPAC\u2019s demuxer. The xmlHeaderEnd attribute is copied without length checks into a 1000\u2011byte buffer. If an attacker supplies more than 1000 bytes, the copy overruns the stack, potentially corrupting memory and enabling arbitrary code execution within the GPAC process. The vulnerability is characterized as CWE\u2011121 and presents a functional flaw that can compromise the stability, confidentiality and integrity of the application.", "risk_and_exploitability": "The CVSS score of 7.7 indicates a high severity due to likely remote exploitation through crafted input. The EPSS score of less than 1% shows that, as of the data provided, exploitation is not frequently observed, and the vulnerability is not listed in CISA\u2019s KEV catalog. Attackers would need to provide a malicious NHML file\u2014either locally or through any network service that invokes GPAC\u2019s demuxer\u2014an inference drawn from the description. With no monitoring or active exploitation data, the risk remains high until remediated."}}}}, "created": "2026-02-26T13:10:24.844997+00:00", "updated": "2026-04-17T14:45:21.030914+00:00", "vendors": ["gpac", "gpac$PRODUCT$gpac"]}